From: Max Stepanov <Max.Stepanov@intel.com>
Date: Sun, 8 Dec 2013 11:30:52 +0000 (+0200)
Subject: mac80211: check pairwise key_idx on get_key call
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=354e159d8c9970969873d66a789d3ac4528c44ff;p=sagit-ice-cold%2Fkernel_xiaomi_msm8998.git

mac80211: check pairwise key_idx on get_key call

Verify that a pairwise key index value on ieee80211_get_key call
doesn't exceed the boundaries of the pairwise key array.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 35bb71be72bb..0962c77f013e 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -301,9 +301,9 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
 		if (!sta)
 			goto out;
 
-		if (pairwise)
+		if (pairwise && key_idx < NUM_DEFAULT_KEYS)
 			key = rcu_dereference(sta->ptk[key_idx]);
-		else if (key_idx < NUM_DEFAULT_KEYS)
+		else if (!pairwise && key_idx < NUM_DEFAULT_KEYS)
 			key = rcu_dereference(sta->gtk[key_idx]);
 	} else
 		key = rcu_dereference(sdata->keys[key_idx]);